How can I persist Facebook access tokens when using Flask and rauth?

Question

When I perform a get_authorize_url request to facebook, I am redirected to the following URL (seen in the browser):

http://127.0.0.1:5000/#access_token=sdfsdfasfaf&expires_in=5849

But I am unable to obtain this access_token in flask: it is not in request.args, it is not in request.query_string, it is not even there in request.url. Maybe flask is having trouble with the # character? How can I access that query parameter?

This is the relevant part of my code (derived from the rauth facebook-cli example):

# rauth OAuth 2.0 service wrapper
graph_url = 'https://graph.facebook.com/'
facebook = OAuth2Service(name='facebook',
                         authorize_url='https://www.facebook.com/dialog/oauth',
                         access_token_url=graph_url + 'oauth/access_token',
                         client_id=app.config['FB_CLIENT_ID'],
                         client_secret=app.config['FB_CLIENT_SECRET'],
                         base_url=graph_url)

...

@app.route('/facebook/login')
def login():
    redirect_uri = url_for('authorized', _external=True)
    params = {'scope': 'read_stream',
              'response_type': 'token',
              'redirect_uri': redirect_uri}
    return redirect(facebook.get_authorize_url(**params))

@app.route('/facebook/authorized')
def authorized():
    # I am not able to find the access_token
    print dir(request)
    print request.args
    print request.query_string
    print request.url

    ...

Answer 1

The part of URI marked by '#' is called fragment identifier. It is not transmitted to the server and can be processed on client side only, by JS, for example.

Answer 2

If you follow the Facebook Flask example and use the code response, there's no need for any JavaScript. In fact in general that is not a requirement for OAuth consumers.